spf-discuss

RE: possibilities for 2822

2005-08-20 16:57:21
-----Original Message-----
From: Seth Goodman [mailto:sethg(_at_)GoodmanAssociates(_dot_)com]
Sent: Saturday, August 20, 2005 1:41 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] possibilities for 2822


From: Scott Kitterman [mailto:spf2(_at_)kitterman(_dot_)com]
Sent: Saturday, August 20, 2005 11:13 AM

<...>

I'm thinking of the periodically discussed op=dkim as the domain owner
asking receivers to check DKIM (go to DATA) and not reject an SPF
Fail that passes DKIM.

That's certainly one possible way to define op=*.  I think of op=* as saying
that the sender always uses a given protocol for 2822, so fail the message
after data if it is _not_ signed with that protocol.  For me, an SPF fail is
good enough reason for rejection before data (once the forwarding issue is
dealt with properly).  Giving that up by deferring to a 2822 protocol pass
permits an attacker to mount a DKIM DDoS that doesn't even have to come from
the domain's designated sending MTAs.  If you make op=* mean "always uses
this 2822 protocol", then you can at least reject some of the attack before
data.  If you find messages that pass SPF but don't pass the 2822 protocol,
you have identified one of the attackers and can submit that as evidence to
get their entire domain blacklisted.

Yes.  The tricky part is "once the forwarding issue is dealt with properly".
What is properly?

I think DKIM and SPF have the potential to complement each other nicely.
Some examples:

 - Direct point to point e-mail: both work fine
 - Traditional forwarding: DKIM works fine, but SPF has issues
 - Mailing lists: SPF works fine, but DKIM has issues if content is modified.

Now this is assuming that DKIM actually ends up being an anti-forgery
technology.  There are those on the DKIM lists that are actively opposing
that.  They just want anybody to be able to sign anything.

So I'm thinking that if you look for a Pass (or non-Fail) from SPF and then
from DKIM if the sender has promised you DKIM as an option in his sender
policy, then you've got almost all the bases covered without the whole world
having to upgrade.

The one area that isn't covered as far as I see it is web enabled mailers
(e.g. the greeting card problem).  They have to upgrade regardless.  For
them, I think the existing advice is still good:

http://spf.pobox.com/webgenerated.html

Are there any other categories I've missed?

I realize that there are other ways to solve the forwarding problem, but
DKIM happens to be one that has a lot of momentum behind it right now.

Scott K
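The two readings of an "op=dkim" modifier in this exchange lead to different verdicts on the three delivery paths Scott lists. The following is an added illustration, not code from the thread, from the SPF project, or from any SPF/DKIM implementation: it models Scott's reading (go to DATA and do not reject an SPF Fail that passes DKIM) beside Seth's reading (the domain always signs, so SPF Fail is still rejected before DATA and an unsigned or broken-signature message is rejected after DATA), and runs both over constructed sample messages. "op=dkim" is the hypothetical modifier under discussion, not a published SPF modifier; the SPF and DKIM results are constructed inputs, so no DNS lookup or signature verification is performed.

```python
"""
Added illustration (not code from the thread or from any SPF/DKIM library):
evaluate two proposed meanings of a hypothetical "op=dkim" sender-policy
modifier over the delivery paths named in the discussion.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT_PRE_DATA = "reject before DATA"   # decided from the envelope (SPF) alone
    REJECT_POST_DATA = "reject after DATA"   # the receiver had to take the body first


@dataclass(frozen=True)
class Message:
    label: str
    spf: str           # simplified SPF result: "pass", "fail" or "none"
    dkim_valid: bool   # a signature from the sender domain is present and verifies


def kitterman_policy(msg: Message, op_dkim: bool) -> Verdict:
    """Scott's reading: op=dkim asks the receiver to go to DATA and not
    reject an SPF Fail that passes DKIM.  Without op=dkim, SPF alone decides."""
    if msg.spf != "fail":          # Pass (or non-Fail) is accepted as-is
        return Verdict.ACCEPT
    if not op_dkim:
        return Verdict.REJECT_PRE_DATA
    # The sender promised DKIM, so the SPF Fail is deferred until the
    # signature has been checked; that means accepting the body first.
    return Verdict.ACCEPT if msg.dkim_valid else Verdict.REJECT_POST_DATA


def goodman_policy(msg: Message, op_dkim: bool) -> Verdict:
    """Seth's reading: op=dkim means "this domain always signs with DKIM".
    SPF Fail is still rejected before DATA; a message that is not validly
    signed is rejected after DATA even though SPF passed."""
    if msg.spf == "fail":
        return Verdict.REJECT_PRE_DATA
    if op_dkim and not msg.dkim_valid:
        return Verdict.REJECT_POST_DATA
    return Verdict.ACCEPT


# Constructed sample messages (hypothetical, not taken from the thread):
# the three delivery paths Scott lists plus a forgery from an unauthorized host.
SCENARIOS = [
    Message("direct", spf="pass", dkim_valid=True),
    Message("forwarded", spf="fail", dkim_valid=True),
    Message("mailing-list-modified", spf="pass", dkim_valid=False),
    Message("forged-unsigned", spf="fail", dkim_valid=False),
]


def evaluate_all(op_dkim: bool = True) -> dict:
    """Return {label: (verdict under Scott's reading, verdict under Seth's reading)}."""
    return {m.label: (kitterman_policy(m, op_dkim), goodman_policy(m, op_dkim))
            for m in SCENARIOS}


if __name__ == "__main__":
    for label, (k, g) in evaluate_all().items():
        print(f"{label:22s} Kitterman: {k.value:20s} Goodman: {g.value}")
```

Running it shows the trade-off in the thread directly: Scott's reading rescues the forwarded message but takes the forged one to DATA before rejecting it (Seth's DDoS concern), while Seth's reading rejects the forgery on the envelope but also rejects the mailing-list message whose signature broke in transit.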

